Latest Microsoft Windows Server Update Services (WSUS) vulnerability: CVE-2025-59287 #
Microsoft has disclosed a remote code execution (RCE) vulnerability in certain versions of the Windows Server Update Services (WSUS) due to deserialization of untrusted data. Successful exploitation allows a remote, unauthenticated adversary to execute arbitrary code by sending a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism. This vulnerability has been designated CVE-2025-59287 and has been rated critical with a CVSS score of 9.8. There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Windows Server 2012 versions prior to 6.2.9200.25728
- Windows Server 2012 (Server Core installation) versions prior to 6.2.9200.25728
- Windows Server 2012 R2 versions prior to 6.3.9600.22826
- Windows Server 2012 R2 (Server Core installation) versions prior to 6.3.9600.22826
- Windows Server 2016 versions prior to 10.0.14393.8524
- Windows Server 2016 (Server Core installation) versions prior to 10.0.14393.8524
- Windows Server 2019 versions prior to 10.0.17763.7922
- Windows Server 2019 (Server Core installation) versions prior to 10.0.17763.7922
- Windows Server 2022 versions prior to 10.0.20348.4297
- Windows Server 2022 (Server Core installation) versions prior to 10.0.20348.4297
- Windows Server 2022, 23H2 Edition (Server Core installation) versions prior to 10.0.25398.1916
- Windows Server 2025 versions prior to 10.0.26100.6905
- Windows Server 2025 (Server Core installation) versions prior to 10.0.26100.6905
What is Microsoft Windows Server Update Services (WSUS)? #
Microsoft Windows Server Update Services (WSUS) provides IT administrators with a way to fully manage and deploy the latest Microsoft product updates, released through Microsoft Update, to computers on their network.
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Windows Server 2012 upgrade to version 6.2.9200.25728 or later
- Windows Server 2012 (Server Core installation) upgrade to version 6.2.9200.25728 or later
- Windows Server 2012 R2 upgrade to version 6.3.9600.22826 or later
- Windows Server 2012 R2 (Server Core installation) upgrade to version 6.3.9600.22826 or later
- Windows Server 2016 upgrade to version 10.0.14393.8524 or later
- Windows Server 2016 (Server Core installation) upgrade to version 10.0.14393.8524 or later
- Windows Server 2019 upgrade to version 10.0.17763.7922 or later
- Windows Server 2019 (Server Core installation) upgrade to version 10.0.17763.7922 or later
- Windows Server 2022 upgrade to version 10.0.20348.4297 or later
- Windows Server 2022 (Server Core installation) upgrade to version 10.0.20348.4297 or later
- Windows Server 2022, 23H2 Edition (Server Core installation) upgrade to version 10.0.25398.1916 or later
- Windows Server 2025 upgrade to version 10.0.26100.6905 or later
- Windows Server 2025 (Server Core installation) upgrade to version 10.0.26100.6905 or later
These are covered by the out-of-band Windows Server updates released on October 23, 2025.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
product:"Microsoft Windows Server Update Services"
